Another Aadhaar Leak, and Yet Another Blame Game

The Unique Identity Authority of India, which administers the Aadhaar program, is again facing harsh criticism about its security measures.

This time, State Bank of India, the nation's largest bank, is claiming that security gaps in UIDAI systems opened the door to the generation of fake Aadhaar cards.

The solution to Aadhaar security issues is for everyone involved to work together. The blame game solves nothing.

But UIDAI insists its systems are secure.

Rather than playing a blame game, government-owned banks, including SBI, as well as UIDAI and other government entities must collaborate to enhance security.

The Accusations

Public sector banks in India have been entrusted with the task of helping UIDAI with Aadhaar enrollments, for which they hire vendors empaneled by UIDAI.

SBI's Chandigarh branch says it hired two vendors for the enrollment task and later discovered that fake Aadhaar cards were generated by one of the vendors, which allegedly used multiple station IDs or devices. A station ID is basically a device ID for a computer or laptop used. Any device used for Aadhaar enrollment must have a device ID as part of the authenticated ID.

SBI said its officials or the vendor did not create these multiple station IDs, so there must have been holes in UIDAI's security system that allowed "someone to hack the system and generate multiple station IDs."

Countering the charge, UIDAI said: "The Aadhaar database is fully secured and no security breach biometric or otherwise, has taken place." It claimed that one of the agents at a vendor hired by SBI used his ID to generate Aadhaar cards using multiple station IDs.

Persistent Problem

There have been multiple issues with vendors who have been accused of not following proper security guidelines. Last year, UIDAI blacklisted 49,000 Aadhaar centers run by vendors who did not follow appropriate security guidelines.

Plus, in recent years, there have been a series of security lapses involving Aadhaar.

Since those incidents, the government has introduced a slew of measures designed to help close security gaps, including introducing Virtual Aadhaar ID that allows users to authenticate transactions.

But UIDAI still has a long way to go in improving communications when security concerns arise, rather than just offering the standard response: "We are safe."

UIDAI needs to engage with the security community to understand and address their concerns. Minimizing communications out of concern for not revealing security details has so far not served it well.

All Parties Have a Role to Play

Because SBI hired vendors to handle Aadhaar enrollments for its customers, it's responsible for ensuring that enrollments are completed only through devices in its physical and logical control (see: Helpline Mishap: UIDAI Wrongly Blamed).

But UIDAI also must monitor empaneled vendors to help prevent fraudulent activities and punish those who commit infractions.

Bangalore-based cyber law expert Na. Vijayshankar suggests UIDAI must put implement additional technological controls to ensure that only one station ID is granted per person.

"Unless it is deactivated, a second station ID should not be provided. This means that the operators need one human agent for every station ID," he says.

UIDAI also should instruct banks to use RFID tags to ensure there is an automatic log out once an enrollment system user leaves their desk.

The solution to Aadhaar security issues is for everyone involved to work together. The blame game solves nothing.

About the Author

Suparna Goswami is principal correspondent at ISMG Asia and has more than 10 years of experience in the field of journalism. She has covered a variety of beats ranging from global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine, and leading Indian newspapers like DNA and Times of India.

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.